Adobe source code and customer data stolen in sustained network hack

Theft could give hackers a new way to exploit widely used Acrobat, ColdFusion apps.

Adobe said it suffered a sustained compromise of its corporate network, allowing hackers to illegally access source code for several of its widely used software applications as well as password data and other sensitive information belonging to almost three million customers.

Adobe dropped the bombshell revelation shortly after Krebs on Security's Brian Krebs reported that the hack began sometime in mid-August and was carried out by the same criminals who breached LexisNexis and other major US data brokers. In the course of investigating the earlier intrusions, Krebs said he happened upon a 40 gigabyte trove of source code, much of it belonging to Adobe. Adobe confirmed that its ColdFusion Web application software and its Acrobat document program were among the products whose source code was stolen.

A new generation of exploits

The Acrobat software family, which is intimately linked to the nearly ubiquitous Reader application, has long been a favorite target of malware developers looking for ways to sneak their malicious wares onto people's computers. The specter of hackers having full access to the raw source code of those applications is troubling, because it could make it easier to identify bugs that can be surreptitiously exploited in drive-by website attacks.

"This breach poses a serious concern to countless businesses and individuals," a statement issued by Hold Security, which assisted in Krebs' investigation, warned. "While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data. Effectively, this breach may have opened a gateway for a new generation of viruses, malware, and exploits."

Adobe Chief Security Officer Brad Arkin said officials aren't aware of any unpatched vulnerabilities being targeted in any of the company's products. "However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice of the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide," he added. He thanked Krebs and Alex Holden of Hold Security for their help in responding to the intrusion.

Krebs said Adobe engineers are still in the process of checking on the integrity of its source code. The investigation includes looking for "anomalous check-in activity on its code repositories," which could indicate the intruders were able to introduce backdoors or security bugs or otherwise tamper with the underlying applications.

"We are looking at malware analysis and exploring the different digital assets we have," Arkin told Krebs. "Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched."

In an advisory, Arkin said attackers removed information for 2.9 million customers from company computers. That data included customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to orders. Attackers also accessed customer IDs and "encrypted" (by which Adobe probably means cryptographically hashed) passwords. Customer passwords will be reset, and Arkin recommended customers change passwords on other sites if they matched those used in their Adobe accounts. Arkin said company employees have notified banks that process customer payments so they can work with payment card companies and card-issuing banks to protect customer accounts.

Krebs said that one of the related intrusions he uncovered—into the network of the National White Collar Crime Center—appears to have been initiated by exploiting weaknesses in Adobe's ColdFusion product. While Adobe plugged all known security holes in the product a few months ago, many networks run outdated versions that expose the users to serious hacks. "This indeed may have also been the vector that attackers used to infiltrate Adobe's own networks," Krebs said.

Promoted Comments

Adobe is culpable, but I think a lot of the "...I can't believe that Adobe has such lax security..." comments may not appreciate the difficulty in preventing something like this. The economics of cybersecurity are stacked in favor of the bad guys. The scale of "cost to defend vs. cost to attack" is amazing. Plugging all security holes is very expensive; finding one is very cheap. I'll lay out how some of these things can happen. (I don't know how they got compromised, so some of this may not apply.)

1. Patching. Yes, you should apply security patches. But it's not always that simple. Software companies have to test and certify their software on what their customers run. So there are some systems that you can't patch. There are other things you can do (isolation, network-based protection, integrity checking, etc.), but none of these are 100% effective (nor is patching), and they all have a cost. It's hard to do well.

2. BYOD. The (direct) savings with BYOD are staggering. It's hard for companies to pass up. And now you have a bunch of unmanaged endpoints on your network (they don't have to be on your "corporate network" but they often are). MDM / NAC can give you some protections, but it's still difficult and expensive.

3. Spam / spearphishing. Users click links. You can do a lot of things to prevent this: anti-spam, anti-malware, user training, pulling admin rights (technically easy, politically not always so), etc. However, it costs someone a lot less to defeat these controls than it does to put up the protections.

4. Business partnerships / globalization. Big companies have big development teams. They're all over the place. Often there are 3rd-party business partners that require read / write access to source code. This isn't easy to make secure, cheap, and easy for development teams. Now you have thousands of people that have access to source, and any one of them can be a vector (intentional or unintentional) for losing data.

5. Organizational factors. Companies need to be fast to be competitive. Security and convenience (frequently associated with speed) clash. Software companies are built by their ability to get a product out the door. When it comes to development / security: tie goes to the developer. (Most often, it should.)

Again, I'm not defending Adobe. They got bit and they're responsible. But it's not as easy as "why didn't they have more security?".